SANS ISC InfoSec Forums

Here is another sample that I found in my spam trap. The technique to infect the victim's computer is interesting. I captured a mail with a malicious RTF document (SHA256: c247929d3f5c82247db9102d2dec28c27f73dc0824f8b386f92aad1a22fd8edd)[1] that exploits the OLE2Link vulnerability (CVE-2017-0199[2]). Once opened, the document fetches the following URL:

It kills the existing winword.exe processes. For each Microsoft Office version (from 12.0 to 16.0), it scans the most recently opened documents to find the one that was just opened. From that original document, another one is extracted at offset 1736901 (0x1A80C5) and a new Word instance is spawned to display it. It's just a simple form, not malicious (SHA256: c73573f83fe53cb076c5cc1156c1356f4e92424a9f1824511327fcf4dfc70c79). In parallel, the original is also padded with a PE file starting at offset 62654 (0xF4BE):
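To verify offsets like the ones above during triage, an analyst can scan the document for embedded containers (OLE/CFB, OOXML zip) and PE images and carve them out. The following is an added example written for this diary, not code from the sample or from ISC; the sample blob it scans is constructed inline, and the offsets it reports are for that constructed input, not the real document.

```python
"""Locate and carve embedded PE / OLE / ZIP payloads appended to a document."""
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary (legacy .doc) header
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx) is a zip container

def is_pe_at(data: bytes, off: int) -> bool:
    """True if a plausible PE image (MZ header + e_lfanew pointing at 'PE\\0\\0') starts at off."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe_off = off + e_lfanew
    return 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == b"PE\x00\x00"

def find_embedded(data: bytes) -> list:
    """Return (kind, offset) pairs, sorted by offset, for every embedded container found."""
    hits = []
    for magic, kind in ((OLE_MAGIC, "ole"), (ZIP_MAGIC, "zip")):
        pos = data.find(magic)
        while pos != -1:
            hits.append((kind, pos))
            pos = data.find(magic, pos + 1)
    pos = data.find(b"MZ")          # every MZ is a candidate; is_pe_at filters false positives
    while pos != -1:
        if is_pe_at(data, pos):
            hits.append(("pe", pos))
        pos = data.find(b"MZ", pos + 1)
    return sorted(hits, key=lambda h: h[1])

def carve(data: bytes, off: int, path: str) -> int:
    """Write everything from off to end of file to path; returns the number of bytes written."""
    chunk = data[off:]
    with open(path, "wb") as fh:
        fh.write(chunk)
    return len(chunk)

def _fake_pe() -> bytes:
    """Constructed minimal MZ/PE header stub for the demo only; it is not an executable."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x80)       # e_lfanew -> PE signature at +0x80
    hdr += b"\x00" * (0x80 - len(hdr)) + b"PE\x00\x00" + b"\x00" * 20
    return bytes(hdr)

# Constructed sample: RTF text, then a decoy OLE document, then a PE stub padded after it.
SAMPLE = b"{\\rtf1 decoy text}" + b"\x00" * 100 + OLE_MAGIC + b"\x00" * 504 + _fake_pe()

if __name__ == "__main__":
    for kind, off in find_embedded(SAMPLE):
        print(f"{kind:4s} at offset {off} (0x{off:X})")   # ole at 118, pe at 630
```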